GigaOm Radar for Continuous Vulnerability Management (CVM) v4.0

Table of Contents

  1. Executive Summary
  2. Market Categories and Deployment Types
  3. Decision Criteria Comparison
  4. GigaOm Radar
  5. Solution Insights
  6. Analyst’s Outlook
  7. About Chris Ray

1. Executive Summary

Vulnerability management is now a cornerstone of digital security frameworks and should be part of every organization’s cybersecurity plan. The process begins with the discovery of hardware and software assets, giving the organization a clear and current inventory of the digital infrastructure it must defend; an asset that is never discovered is never assessed.

Along with asset identification, vulnerability management is also vital for exposing potential weak spots in these assets. Such weaknesses could serve as entry points for cyberattackers, allowing them to circumvent otherwise advanced and robust security measures. Once these vulnerabilities are identified, organizations can proactively address them, thereby enhancing their overall cybersecurity posture and reducing the likelihood of successful cyberattacks.

And yet, for all the risk-reducing value that vulnerability management brings, traditional solutions have two main drawbacks. The first is their emphasis on physical infrastructure, such as network devices, servers, and desktops, and on the applications that run on that infrastructure. These remain a crucial part of any comprehensive vulnerability management plan, but the focus leaves little coverage for the other prevalent and emerging technologies, particularly cloud-native ones, that now carry much of an organization’s attack surface.

The second shortcoming is that a traditional solution provides only a snapshot of an organization’s vulnerabilities at a specific moment. A scan is run, the results are analyzed, and plans are drawn up to address the vulnerabilities found. In a dynamic DevOps environment, however, that snapshot goes stale quickly: hosts and containers are built and torn down continuously, so a vulnerability present today may be gone tomorrow, while others appear and disappear between scans and are never captured at all. Because of these two limitations in particular, traditional vulnerability management struggles to support DevOps practices effectively.

The next evolution in this field is continuous vulnerability management (CVM). This approach starts with the network-based infrastructure and application scanning from traditional vulnerability management, then augments it with ongoing methods that now include scanning container images, infrastructure-as-code (IaC) manifests, cloud configurations, cloud identities, and other cloud-native technologies. We believe that CVM has overtaken traditional vulnerability management techniques due to the widespread adoption of public cloud resources and DevOps practices.

This is our fourth year evaluating the CVM space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 20 of the top CVM solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading CVM offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.